Ransomware: Why you mustn't pay the ransom

This is a contributed piece by Dave Venable, VP Cybersecurity at Masergy

A recent report by ESET identified that around a quarter of cyber threats targeting UK businesses are ransomware attacks. This is backed up by findings from the US Federal Bureau of Investigation, which also confirmed there has been an escalation in these types of attacks.

Ransom demands generally start relatively low, a few hundred pounds, but delay payment and that figure grows significantly, and quickly. Two hospitals in the US recently paid $17,000 each to get their data back after being unable to use their systems for 10 days.

But paying up is never a good idea. Whilst paying may seem like an expedient remedy to those who are unprepared for a ransomware attack, there are so many unknowns that it is never worth it.

You are dealing with criminals who are holding your data and files hostage; pay them and there is simply no guarantee that you will actually get that information back. Furthermore, a number of underground hacker sites keep track of, and share information on, companies that pay ransoms. Paying up paints a very big target on your back and your company's.

As with any other IT security operations, planning in advance of an attack is the single best way to combat the ransomware threat.

How to plan for a ransomware attack

It’s pretty clear that your organisation should be ready to confront the ransomware threat, whether hackers target individual employees’ systems and the networks they have access to, or the company’s network at large. The first step, as with any security threat, is educating end users about how ransomware can creep up on them.

Employees should guard against these potential attacks as they would any other kind of malware, starting with common-sense steps – avoid clicking on suspicious links or attachments in emails, for instance.

After the education piece, use technology and backups to put protective measures in place. The simplest and most effective way of limiting the damage from a ransomware attack is a regular and rigorous backup schedule. Keep backups off site and make sure they are not connected to your other systems, so that whatever encrypts your live files cannot reach the backups as well, and test restoring from them periodically: a backup you have never restored from is an assumption, not a plan.

Your plan should also include what to do if you have fallen victim to a ransomware attack – such as who would be in charge of managing the situation, involving external security companies to help mitigate any damage, and most of all, strict instructions not to pay the ransom.

A recent survey by HIMSS Analytics and Healthcare IT News of healthcare organisations in the US found that 73% had a business continuity plan in place, yet almost half said they were unsure whether they would pay a ransom demand. HIMSS Analytics' research director points out that this calls into question how solid those plans really are when it comes to ransomware.

Don’t ignore the simple security tasks

IT’s part in combating attacks against both individual users and enterprise networks includes keeping up with core security tasks that sometimes aren’t as rigorously adhered to as they should be (in an article by Mary Branscombe on IDG Connect, she points to statistics that say it takes an average of 103 days for companies to patch known network and security vulnerabilities).

The job of a CIO is undeniably getting harder. Ransomware that encrypts every file it can reach, on the local disk and on any network share the user can write to, does far more damage per infection than an attack on a single end user, which makes it a more attractive method for criminals.

Malware authors are capable developers, and just as your programmes receive software updates, so do ransomware tools. That is why anti-malware technology cannot simply stop every attack: it may stop most, but new versions of ransomware are designed specifically to evade the security technologies that caught the last one.

So, inevitably, there’s a chance that you may still fall victim to a ransomware attack. Sadly, this is all too common – UK Parliament, FastMail, police departments and healthcare providers have all been on the receiving end of a ransomware attack. It’s at this point that your business continuity plan will prove invaluable.

All too often, the ransom demand comes with a very short payment window; it is a typical tactic used by cyber criminals to panic organisations into paying up. But with no guarantee that the attacker will restore your data after payment, we would always advise you not to pay.

There are a number of steps you can take in the wake of an attack: isolate the infection by disconnecting affected systems from the network (not just the internet, since ransomware spreads to shared drives and other machines over the internal network), turn off Bluetooth and remove any peripherals and removable media as soon as you can, to stop the infection spreading further. Don't pay up. And unless you have a veritable ransomware expert of your own on staff, call in the experts.

If you have rigorously backed up your systems on a regular basis, then all of the data that is being held to ransom is simply sitting in your backup waiting to be restored (apart from the data created since the last backup, of course). Restore it onto systems that have been cleaned or rebuilt first, otherwise the restored files can simply be encrypted all over again.
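The backup advice above (keep backups isolated, and verify that you can actually restore from them) and the restore step in the last paragraph can be rehearsed as a small drill. The following is an added example written for this page, not code from the article's author or from Masergy. It builds a constructed sample data set in a temporary directory, takes a backup with a SHA-256 manifest, simulates the live copy being encrypted and renamed, checks the backup against the manifest, and restores it. The file names, directory layout and the "simulate ransomware" routine are all made up for illustration; nothing here touches a real system.

```python
"""Backup integrity check and restore drill for ransomware recovery.

Added example, not code from the original article.  Everything it
operates on is constructed in a temporary directory and removed again.
"""
import hashlib
import json
import os
import shutil
import tempfile
from pathlib import Path

MANIFEST_NAME = "MANIFEST.json"  # assumed name, written next to the backup


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def take_backup(source: Path, dest: Path) -> dict:
    """Copy every file under source into dest and record relative path ->
    SHA-256 in a manifest, so the backup can be checked before it is trusted."""
    manifest = {}
    for p in sorted(source.rglob("*")):
        if p.is_file():
            rel = p.relative_to(source)
            target = dest / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(p, target)
            manifest[str(rel)] = sha256_file(target)
    (dest / MANIFEST_NAME).write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return manifest


def verify_backup(dest: Path) -> list:
    """Return a list of problems (missing or altered files); empty means every
    file in the manifest is present and hashes as recorded.  A backup that
    ransomware could reach fails here: its files get renamed or rewritten."""
    manifest = json.loads((dest / MANIFEST_NAME).read_text())
    problems = []
    for rel, digest in manifest.items():
        p = dest / rel
        if not p.is_file():
            problems.append(f"missing: {rel}")
        elif sha256_file(p) != digest:
            problems.append(f"altered: {rel}")
    return problems


def restore_backup(dest: Path, target: Path) -> int:
    """Restore into a clean target only if the backup verifies.  Returns the
    number of files restored; refuses outright if the backup is damaged."""
    problems = verify_backup(dest)
    if problems:
        raise RuntimeError("refusing to restore from a damaged backup: " + "; ".join(problems))
    manifest = json.loads((dest / MANIFEST_NAME).read_text())
    for rel in manifest:
        out = target / rel
        out.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(dest / rel, out)
    return len(manifest)


def simulate_ransomware(tree: Path) -> None:
    """Constructed stand-in for the attack, not a real sample: overwrite each
    file with random bytes and rename it, as encrypting ransomware does."""
    for p in list(tree.rglob("*")):
        if p.is_file():
            p.write_bytes(os.urandom(len(p.read_bytes()) + 16))
            p.rename(p.with_name(p.name + ".locked"))


def drill() -> dict:
    """Run the whole exercise in a temp dir and report the outcome."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        live, backup, restored = root / "live", root / "backup", root / "restored"
        # Constructed sample data standing in for the business files.
        (live / "finance").mkdir(parents=True)
        (live / "finance" / "ledger.csv").write_text("date,amount\n2016-03-01,1200\n")
        (live / "notes.txt").write_text("quarterly planning notes\n")

        before = take_backup(live, backup)      # scheduled backup, taken while clean
        simulate_ransomware(live)               # live copy is encrypted and renamed
        live_intact = any(p.suffix != ".locked" for p in live.rglob("*") if p.is_file())
        backup_ok = verify_backup(backup) == [] # isolated backup is untouched
        n = restore_backup(backup, restored)    # restore onto a clean target
        after = {str(p.relative_to(restored)): sha256_file(p)
                 for p in restored.rglob("*") if p.is_file()}

        # Had the backup been reachable from the infected host, the same
        # check catches it before anyone restores garbage.
        simulate_ransomware(backup / "finance")
        reachable_problems = verify_backup(backup)

        return {
            "files_backed_up": len(before),
            "live_intact": live_intact,
            "backup_verified": backup_ok,
            "files_restored": n,
            "restore_matches": after == before,
            "reachable_backup_problems": reachable_problems,
        }


if __name__ == "__main__":
    print(json.dumps(drill(), indent=2))
```

The point of the drill is that "we have backups" is only worth something if the backup is both unreachable from the systems that get infected and verifiably intact before you restore from it. Note that the manifest here sits beside the backup, so anything that can rewrite the backup could rewrite the manifest too; in practice keep the manifest (or a signed copy of it) somewhere the backup host cannot write, and run the verification from a clean machine.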